CDT: Cybersecurity bills raise major civil liberties concerns

Grant Gross |
April 5, 2012

A group of cybersecurity bills that the U.S. Congress may soon vote on contain serious privacy and civil liberties flaws, with some of the bills allowing private companies to share a wide range of their customers' online communications with government agencies, the Center for Democracy and Technology said.

A group of cybersecurity bills that the U.S. Congress may soon vote on contain serious privacy and civil liberties flaws, with some of the bills allowing private companies to share a wide range of their customers' online communications with government agencies, the Center for Democracy and Technology said.

The U.S. House of Representatives could vote later this month on two bills focused on encouraging private companies and the government to share cyberthreat information with each other, even though there are major civil liberties concerns with one of the bills and some outstanding questions about the second, CDT officials said during a press briefing Wednesday.

The Senate may vote on information-sharing legislation in May, CDT officials said. CDT raised concerns about four information-sharing bills, all of which would provide legal protections for private companies that share cyberthreat information with government agencies.

"[If] you look at most of these bills closely, you'll see that there are extraordinarily complex civil liberties problems in virtually every one of these bills," said Leslie Harris, CDT's president and CEO.

The Electronic Frontier Foundation has similar criticisms of the cybersecurity bills. Most of the information-sharing bills before Congress don't clearly define what a cybersecurity threat is, thus allowing broad information sharing between private companies and the government for ill-defined purposes, the EFF said.

The first House bill, the Cyber Intelligence Sharing and Protection Act, allows private companies to share broad information about cyberthreats with government agencies, with no requirement to strip out personal information, said Greg Nojeim, CDT's senior counsel. The bill, sponsored by Representative Mike Rogers, a Michigan Republican, would allow U.S. agencies to use the information shared by private companies for other national security and law enforcement purposes, in addition to cybersecurity, he said.

The Rogers bill may also allow private companies to take broad countermeasures against attacks, potentially including counterattacks, Nojeim said. The information-sharing bills "trump all privacy laws" in their permission for companies to share information with government agencies, he said.

The Rogers bill contains no privacy oversight, the EFF said. "The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for 'cybersecurity purposes,'" the EFF said in a blog post. "Just invoking 'cybersecurity threats' is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law."

The Rogers bill has broad support in the House, however, with 106 co-sponsors. Several companies, including AT&T, Microsoft, Facebook, Intel and IBM, have also voiced support. The bill "provides a solid framework and useful legal protections to permit the timely flow of actionable threat information in order for organizations to better protect themselves and customers," Christopher Padilla, IBM's vice president of governmental programs, wrote in a November letter to Rogers.